8 changed files with 357 additions and 0 deletions
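--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 TiMMi Transport
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.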
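--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,71 @@
+This repository contains the completely declarative+reproducible configurations to deploy a server hosting the „beherbergung“ service and basic infrastructure for reliabiliy+maintainability.
+Most of the service definitions should re reusable with minimal adaptions for completely different projects.
+
+* CI/CD
+* buildcache
+* [monitoring + alerting](./modules/monitoring/README.md)
+* backup
+* dns
+* reverse proxy + acme
+
+Secrets are encrypted with sops.
+
+## Deploy
+
+Once the servers are installed following [the bootstrap instructions](#bootstrap), the roll out of configuration changes on all servers is trivial.
+As a developer with an [authorized key](./modules/hetzner.nix), call:
+
+```shell
+nix run
+```
+
+## Update
+
+To update all flakes and redeploy, call:
+
+```shell
+nix flake update
+nix run
+```
+
+## Bootstrap
+
+To setup a new server:
+1. boot a nixos image
+2. mount the future / to /mnt
+3. copy this repo to /mnt/etc/nixos
+4. check flake.nix and hosts/$HOSTNAME/\*configuration.nix
+- set a correct static ipv6
+5. nixos-install:
+
+```shell
+nix-shell -p nixUnstable --command "nixos-install --no-root-passwd --flake .#${HOSTNAME}"
+```
+
+6. setup sops:
+
+6.1. add the new hosts key to sops config
+
+```shell
+nix shell /etc/nixos#ssh-to-pgp --command ssh-to-pgp -i /etc/ssh/ssh_host_rsa_key
+edit .sops.yaml sops/keys/hosts/$HOSTNAME.asc
+```
+
+6.2. add pubkey to the developers keyring
+```shell
+gpg --import sops/keys/hosts/$HOSTNAME.asc
+```
+
+6.3. edit secrets + use them
+
+```shell
+nix shell .#sops --command sops sops/secrets/*
+edit modules/sops.nix
+```
+
+## Ensure, outgoing SMTP is permitted by your hoster:
+
+```shell
+openssl s_client -connect smtp.1und1.de:587 -starttls smtp
+openssl s_client -connect smtp.1und1.de:465
+```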
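--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+imports = [
+../../modules/hetzner.nix
+];
+
+system.stateVersion = "21.11";
+
+networking = {
+hostName = "beherbergung-lifeline";
+interfaces.ens3 = {
+ipv6.addresses = [ { address = "2a01:4f8:c0c:cf13::1"; prefixLength = 64; } ];
+};
+};
+}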
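--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+time.timeZone = "Europe/Berlin";
+
+environment.systemPackages = with pkgs; [
+vim tmux
+wget curl
+htop atop iotop iftop
+file bc jq
+git
+bind.dnsutils
+];
+
+environment.variables = { EDITOR = "vim"; };
+}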
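--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,48 @@
+## a common hardware-configuration.nix for our hetzner servers
+
+{ config, lib, pkgs, modulesPath, ... }:
+{
+imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ ];
+boot.extraModulePackages = [ ];
+
+fileSystems."/" = {
+device = "/dev/sda1";
+fsType = "ext4";
+};
+
+swapDevices = [ ];
+
+boot.loader.grub = {
+enable = true;
+version = 2;
+devices = [ "/dev/sda" ];
+};
+
+networking = {
+useDHCP = false;
+interfaces.ens3 = {
+useDHCP = true;
+#ipv6.addresses ## should be set for each host
+};
+defaultGateway6 = {
+address = "fe80::1";
+interface = "ens3";
+};
+};
+
+users.users.root = {
+openssh.authorizedKeys.keys = [
+## J03
+"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDW+YfsFtRz1h/0ubcKU+LyGfxH505yUkbWa5VtRFNWF2fjTAYGj6o5M4dt+fv1h370HXvvOBtt8sIlWQgMsD10+9mvjdXWhTcpnYPx4yWuyEERE1/1BhItrog6XJKAedbCDpQQ+POoewouiHWVAUfFByPj5RXuE8zKUeIEkGev/QKrKTLnTcS8zFs/yrokf1qYYR571B3U8IPDjpV/Y1GieG3MSNaefIMCwAAup1gPkUA0XZ4A1L7NdEiUEHlceKVu9eYiWUM+wDRunBXnLHubeGyP8KmBA7PNKgml3WWRNTZjqNQk4u9Bl+Qea5eCkD8KI257EqgXYXy0QBWNyF8X j03@l302"
+];
+};
+
+services.openssh = {
+enable = true;
+permitRootLogin = "prohibit-password";
+};
+}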
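Review bot: The `services.openssh` block at the end of the hunk restricts root to key-based login via `permitRootLogin = "prohibit-password"` but leaves password authentication at its default, which on the 21.11 release this repository pins is enabled, so any other account that ever receives a password remains reachable by password guessing over SSH. Since the only login path this module provisions is the root authorized key, add `passwordAuthentication = false;` next to `permitRootLogin`. The `#ipv6.addresses ## should be set for each host` comment states an invariant the module does not enforce; an assertion such as `assertions = [ { assertion = config.networking.interfaces.ens3.ipv6.addresses != []; message = "set networking.interfaces.ens3.ipv6.addresses in the host configuration"; } ];` would fail evaluation for a host that forgets it instead of deploying a machine without its routable v6 address.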
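--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,16 @@
+{ config, pkgs, nixpkgs, ... }:
+{
+boot.cleanTmpDir = true;
+
+nix.package = pkgs.nixUnstable;
+nix.extraOptions = "experimental-features = nix-command flakes";
+
+#nix.daemonIONiceLevel = 7;
+#nix.daemonNiceLevel = 19;
+
+nix.autoOptimiseStore = true;
+nix.gc = {
+automatic = true;
+dates = "weekly";
+};
+}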
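Review bot: The module's argument set `{ config, pkgs, nixpkgs, ... }` on the first line of the hunk declares `nixpkgs`, but the body never uses it, and the `extraArgs` that flake.nix in this commit passes to `nixosSystem` contains `flake`, `system` and `dns` rather than `nixpkgs`, so the name would presumably fail to resolve the moment a later change references it. Reduce the header to `{ config, pkgs, ... }:` so the argument list documents what the module actually depends on. The two commented-out `nix.daemonIONiceLevel` / `nix.daemonNiceLevel` lines carry no reason for being disabled; either drop them or add a one-line note stating when they should be re-enabled.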
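--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,107 @@
+{
+"nodes": {
+"dns": {
+"inputs": {
+"flake-utils": "flake-utils",
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1635273082,
+"narHash": "sha256-EHiDP2jEa7Ai5ZwIf5uld9RVFcV77+2SUxjQXwJsJa0=",
+"owner": "kirelagin",
+"repo": "dns.nix",
+"rev": "c7b9645da9c0ddce4f9de4ef27ec01bb8108039a",
+"type": "github"
+},
+"original": {
+"owner": "kirelagin",
+"repo": "dns.nix",
+"type": "github"
+}
+},
+"flake-utils": {
+"locked": {
+"lastModified": 1614513358,
+"narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=",
+"owner": "numtide",
+"repo": "flake-utils",
+"rev": "5466c5bbece17adaab2d82fae80b46e807611bf3",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "flake-utils",
+"type": "github"
+}
+},
+"nix-deploy-git": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1637044180,
+"narHash": "sha256-5r3pOGql5wr0PtuOb0rJ0EeorcT3A43tWYRRvnZB0jk=",
+"owner": "johannesloetzsch",
+"repo": "nix-deploy-git",
+"rev": "c1c0b1def56009e8647bfe57c555c6bea0fb2b1a",
+"type": "github"
+},
+"original": {
+"owner": "johannesloetzsch",
+"ref": "main",
+"repo": "nix-deploy-git",
+"type": "github"
+}
+},
+"nixpkgs": {
+"locked": {
+"lastModified": 1646588256,
+"narHash": "sha256-ZHljmNlt19nSm0Mz8fx6QEhddKUkU4hhwFmfNmGn+EY=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "2ebb6c1e5ae402ba35cca5eec58385e5f1adea04",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-21.11",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"dns": "dns",
+"nix-deploy-git": "nix-deploy-git",
+"nixpkgs": "nixpkgs",
+"sops-nix": "sops-nix"
+}
+},
+"sops-nix": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1646696263,
+"narHash": "sha256-a+6WgDoU2fd4bbSFMqK67i/ZTPzia29otmyeODa1uDU=",
+"owner": "Mic92",
+"repo": "sops-nix",
+"rev": "4e21493d34f7485a568e05b9cbefa11fe047ecd3",
+"type": "github"
+},
+"original": {
+"owner": "Mic92",
+"repo": "sops-nix",
+"type": "github"
+}
+}
+},
+"root": "root",
+"version": 7
+}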
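--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,64 @@
+{
+description = "https://github.com/internet4refugees/beherbergung.git development environment + package + deployment";
+
+inputs = {
+#nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11";
+sops-nix = {
+url = "github:Mic92/sops-nix";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+nix-deploy-git = {
+url = "github:johannesloetzsch/nix-deploy-git/main";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+dns = {
+url = "github:kirelagin/dns.nix";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+};
+
+outputs = { self, nixpkgs, sops-nix, nix-deploy-git, dns }:
+let
+system = "x86_64-linux";
+pkgs = import nixpkgs { inherit system; };
+inherit (pkgs) lib;
+
+commonAttrs = {
+system = "x86_64-linux";
+extraArgs = { flake = self; inherit system dns; };
+};
+commonModules = [
+./deployment/modules/nix.nix
+./deployment/modules/default.nix
+#sops-nix.nixosModules.sops
+#./deployment/modules/sops.nix
+#./deployment/modules/dns.nix
+#./deployment/modules/monitoring/client.nix
+#./deployment/modules/nginx/timmi.nix
+#nix-deploy-git.nixosModule
+#./deployment/modules/nix-deploy-git.nix
+];
+in
+rec {
+legacyPackages.${system} = (lib.mergeAttrs pkgs {
+#nixos-deploy = import ./tools/deploy.nix { inherit pkgs; };
+});
+
+#defaultPackage.${system} = legacyPackages.${system}.nixos-deploy;
+
+nixosConfigurations = {
+
+beherbergung-lifeline = nixpkgs.lib.nixosSystem (lib.mergeAttrs commonAttrs {
+modules = commonModules ++ [
+./deployment/hosts/beherbergung-lifeline/configuration.nix
+#./deployment/modules/nginx/timmi-public.nix
+#./deployment/modules/binarycache/client.nix
+#./deployment/modules/binarycache/server.nix
+#./deployment/modules/monitoring/server.nix
+];
+});
+
+};
+};
+}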
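Review bot: `#sops-nix.nixosModules.sops` and `#./deployment/modules/sops.nix` are commented out in `commonModules`, so the only `nixosConfigurations` entry this flake builds never loads the sops module, while the README added in the same commit presents sops-encrypted secrets as part of the bootstrap procedure; either enable those two lines or state in the README that secrets are not yet wired into the host configurations. The `outputs` arguments `sops-nix` and `nix-deploy-git` are consequently unused as well, which the commented-out `#nix-deploy-git.nixosModule` line makes visible. `commonAttrs` also repeats the literal `system = "x86_64-linux";` already bound in the `let`; `inherit system;` keeps the two from drifting apart.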